Setup guide

VMware recommends that you let vShield App run during normal operations and use the vShield App
Flow Monitoring tool for baseline knowledge of the traffic flowing in and out of your virtual network. You
can then add rules according to the needs of your network.
Enabling the SpoofGuard feature of vShield App allows you to authorize the IP addresses reported by
VMware Tools, and alter them if necessary to prevent spoofing. Depending on the SpoofGuard mode you
choose, vShield App either automatically trusts IP assignments on their first use or requires you to manually
approve IP assignments before use. However, be aware that the IP address of a virtual machine may change
when the DHCP server renews a lease or is rebooted. This means that you must approve the new or
renewed IP address if the SpoofGuard feature is enabled.
Becoming familiar with the flow monitoring and SpoofGuard features before installing vShield App will
enable you to configure vShield App in the most secure way possible. For more information on these
features, see the vShield Administration Guide.
Deployment Considerations for vShield Edge
Before installing vShield Edge, you must become familiar with your network topology. vShield Edge can
have multiple interfaces, but you must connect at least one internal interface to a portgroup or VXLAN
virtual wire before you can deploy the vShield Edge.
The uplink interface provides connectivity to the outside world. You must have created and configured a
port group or VXLAN virtual wire that has external connectivity. You must also have a port group with
virtual machines to which you can connect the internal interface. Determine the IP addresses and subnets to
be provided for these interfaces. Also think about the services that you should enable and configure after
installing vShield Edge. For more information on vShield Edge services, see the vShield Administration Guide.
After you install vShield Edge and before you configure vShield Edge services, virtual machines in the
affected port group(s) may lose network connectivity. To avoid this issue, you can create a new port group, install
and configure vShield Edge on it, and then move the virtual machines to that port group.
Be aware that the default vShield Edge firewall policy blocks all incoming traffic, so you must add allow
rules as required.
Chapter 2 Preparing for Installation
VMware, Inc. 17